Password Complexity Considerations

Requirements and company policies

Different organizations have different password complexity requirements. I've seen them all. From periodic (every day) auto rotation of passwords for accounts under privileged access management to a company policy requiring a minimum password length of 128 characters (obviously you never type that manually).

Limitations

Once in a blue moon we hit a bump and we're faced with an issue related to these company requirements. As an example, NetScaler 11 & 12 had an issue with certain characters not being accepted in RADIUS secrets. In the beginning the OAuth secret didn't accept any special characters at all.

I hope I'll save you some time by listing a few system limits that are not so widely known:

  • IPMI (LOM) Password

    • Password String Length - 19 characters (actually a Supermicro limitation)
  • MGMT Interface Access

    • Password String Length - 83 characters (local accounts)
    • Password String Length - 63 characters (external directory accounts)
  • AAA Interface Access

    • Password String Length - 127 characters (local accounts & external directory accounts)

No error message is displayed when the length is exceeded in any of these cases; the string is simply (and silently) truncated, so the password actually stored on the appliance is shorter than the one you believe you set.
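Because the truncation is silent, it is worth checking a candidate password against these limits before it is set, and evaluating complexity on the part that will actually survive the truncation (a 20-character password whose only special character is the last one becomes a 19-character password with no special character on the IPMI interface). The following pre-flight checker is an added example written for this post, not code from the post or from Citrix. The length limits are the ones listed above; the strong-password rules it applies (minimum length 8, as quoted in the appliance warning later in the post, plus one lowercase, one uppercase, one digit and one special character) are an assumption, so check the Citrix documentation for the exact rules before relying on them.

```python
import secrets
import string

# Maximum password lengths listed in the post. Longer strings are silently
# truncated by the appliance, so the stored password differs from the one
# the operator believes was set.
LENGTH_LIMITS = {
    "ipmi": 19,            # LOM / IPMI (Supermicro limitation)
    "mgmt_local": 83,      # management interface, local accounts
    "mgmt_external": 63,   # management interface, external directory accounts
    "aaa": 127,            # AAA interface, local and external directory accounts
}

# Strong-password rules ASSUMED here: minimum length 8 (the default quoted in
# the appliance warning) plus at least one lowercase, uppercase, digit and
# special character. Verify against the Citrix documentation.
MIN_STRONG_LENGTH = 8
SPECIALS = set(string.punctuation)


def effective_password(password, interface):
    """Return what the appliance would actually store for this interface."""
    return password[:LENGTH_LIMITS[interface]]


def check_length(password, interface):
    """Return (fits, dropped): whether the password fits and how many trailing characters are lost."""
    stored = effective_password(password, interface)
    return len(stored) == len(password), len(password) - len(stored)


def check_strong(password):
    """Return the list of failed strong-password rules (empty list means compliant)."""
    failures = []
    if len(password) < MIN_STRONG_LENGTH:
        failures.append("shorter than %d characters" % MIN_STRONG_LENGTH)
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in SPECIALS for c in password):
        failures.append("no special character")
    return failures


def preflight(password, interface):
    """Combined report: does the password fit, and is the STORED part still strong?"""
    fits, dropped = check_length(password, interface)
    # Evaluate complexity on what will really be stored, not on the input,
    # because truncation can cut off the only digit or special character.
    stored = effective_password(password, interface)
    return {
        "interface": interface,
        "fits": fits,
        "dropped": dropped,
        "strong_failures": check_strong(stored),
    }


def generate_policy_password(length, alphabet=string.ascii_letters + string.digits + "!#%+-=_"):
    """Generate a random password of the required length that satisfies the assumed strong rules."""
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_strong(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed example: a 128-character policy password tried against every interface.
    long_pw = generate_policy_password(128)
    for iface in LENGTH_LIMITS:
        print(iface, preflight(long_pw, iface))
```

Run as a script it shows that a 128-character policy password is truncated on every interface in the list, including AAA (127 characters). The `preflight` function is the one to wire into a provisioning script: refuse to push a password whose `dropped` count is non-zero rather than letting the appliance silently keep a shorter one.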

NetScaler Local Settings

On the subject of password complexity, the NetScaler can enforce password complexity on its own.

set system parameter -strongpassword enableall
set system parameter -strongpassword enablelocal

The above command has two possible options, "enableall" & "enablelocal", both enforcing the same complexity requirements but on different sets of objects. You can reference the Citrix docs for the exact complexity requirements.

  • enableall - enforcing on all passwords
  • enablelocal - enforcing on all, excluding objects NS_FIPS, NS_CRL, NS_RSAKEY, NS_PKCS12, NS_PKCS8, NS_LDAP, NS_TACACS, NS_TACACSACTION, NS_RADIUS, NS_RADIUSACTION, NS_ENCRYPTION_PARAMS

Still, the way it works is a bit confusing to me. Both commands produce the same warning message and both enforce it for any new object (user password, certkey password, LDAP bind password):

Warning: [Strong Password now enabled. Please ensure all the existing user passwords adhere to this restriction. Minimum Password Length is set to 8 as default.]

Citrix advises that we should update the passwords to match the strong password criteria, otherwise users with weak passwords will not be able to access the appliance (Citrix article).

In reality the policy will not be enforced on any already existing objects.

Creation of new objects (such as importing certificates or creating users) is evaluated against the strong password policy and is met with an error if the password does not meet the requirements, but already existing objects are not evaluated.

In my opinion it's highly likely that customers have certificate import passwords that don't meet the requirements, hence if Citrix fixes this in some future build and strong password is enabled, upon upgrading (reboot) there will be issues like certificates not being loaded on the system or entire LDAP actions going missing.

To check for weak passwords you can use the below CLI:

query ns config -weakpassword -config /nsconfig/ns.conf

If you have any, a warning will be displayed:

Command: set ns rpcNode ...
Password DOES NOT meet the strong password requirements.
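Since existing objects are not evaluated at boot, the query above is the only thing that tells you which configuration lines would break if enforcement ever became retroactive, and it is worth running on every appliance on a schedule. The parser below is an added example written for this post, not code from the post or from Citrix: it reads the output of `query ns config -weakpassword`, pairs each "Command:" line with the warning that follows it, redacts any value that follows a `-...password` style argument before the result is logged anywhere, and summarises the hits per object type so you can see at a glance whether it is RPC nodes, local users or LDAP actions that need attention. The sample report is constructed for the example and modelled on the two lines shown above, with arguments shortened to "..." just as in the post; only the "Command:" / "DOES NOT meet" line pair is taken from the real output.

```python
import re

# Constructed sample modelled on the two lines quoted in the post. The
# "Command:" line followed by the "DOES NOT meet" line is the real pattern;
# the specific commands and the "..." arguments are illustrative only.
SAMPLE_REPORT = """\
Command: set ns rpcNode 10.0.0.1 -password ...
Password DOES NOT meet the strong password requirements.
Command: add system user operator -password ...
Password DOES NOT meet the strong password requirements.
Command: add authentication ldapAction ldap_corp -ldapBindDn ... -ldapBindDnPassword ...
Password DOES NOT meet the strong password requirements.
Command: set ns rpcNode 10.0.0.2 -password ...
Password DOES NOT meet the strong password requirements.
Done
"""

WEAK_MARKER = "DOES NOT meet the strong password requirements"

# Any argument whose name ends in "password" (e.g. -password, -ldapBindDnPassword)
# has its value replaced, so the flagged commands can be logged or ticketed safely.
_PASSWORD_ARG = re.compile(r"(-\w*[Pp]assword)\s+\S+")


def redact(command):
    """Replace every password-bearing argument value with a placeholder."""
    return _PASSWORD_ARG.sub(r"\1 <redacted>", command)


def parse_weak_password_report(text):
    """Return the list of flagged configuration commands, passwords redacted."""
    flagged = []
    pending = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Command:"):
            # Remember the command; it is only a finding if the warning follows.
            pending = line[len("Command:"):].strip()
        elif WEAK_MARKER in line and pending is not None:
            flagged.append(redact(pending))
            pending = None
    return flagged


def summarize(flagged):
    """Count findings per object type, e.g. 'ns rpcNode' or 'system user'."""
    counts = {}
    for cmd in flagged:
        words = cmd.split()
        obj = " ".join(words[1:3])  # skip the verb (set/add), keep the object path
        counts[obj] = counts.get(obj, 0) + 1
    return counts


def has_weak_passwords(text):
    """True if the report contains at least one finding (handy as a compliance gate)."""
    return bool(parse_weak_password_report(text))


if __name__ == "__main__":
    findings = parse_weak_password_report(SAMPLE_REPORT)
    for cmd in findings:
        print("weak:", cmd)
    print("summary:", summarize(findings))
```

Feed it the saved output of the query (for example captured over SSH by your configuration management tooling) and use `has_weak_passwords` as the pass/fail condition; the per-object summary tells you whether the fix is a handful of `set ns rpcNode` passwords or a wider clean-up of local users and LDAP actions.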

I would urge you to get your NetScaler devices in compliance with your company password policies.

Thank you for reading!